MySQL Enterprise Firewall is an application-level firewall that enables database administrators to permit or deny SQL statement execution based on matching against allowlists of accepted statement patterns. This helps harden MySQL against attacks such as SQL injection or attempts to exploit applications by using them outside of their legitimate query workload characteristics.
Each MySQL account registered with the firewall has its own statement allowlist, enabling protection to be tailored per account. For a given account, the firewall can operate in recording, protecting, or detecting mode, for training in the accepted statement patterns, active protection against unacceptable statements, or passive detection of unacceptable statements.
MySQL Enterprise Firewall installation is a one-time operation that involves running
a script located in the share
directory of
your MySQL installation.
To install MySQL Enterprise Firewall:
-
Run the
linux_install_firewall.sql
script that is located in the/usr/local/mysql/share
directory.The installation script creates stored procedures in the default database, so choose a database to use. Then run the script as follows, naming the chosen database on the command line. This deployment uses the
mysql
database.$> cd /usr/local/mysql $> bin/mysql -u root -p mysql < /usr/local/mysql/share/linux_install_firewall.sql Enter password: (enter root password here)
-
To enable the firewall, enable the
mysql_firewall_mode
system variable. By default, this variable is enabled when the firewall is installed. To configure the firewall state explicitly, add it under the[mysqld]
option group in the MySQL configuration file:mysql_firewall_mode=ON
-
Restart MySQL server to apply the new configuration settings.
$> systemctl restart mysqld
-
To verify that MySQL Enterprise Firewall is enabled, connect to the server and execute this statement:
$> cd /usr/local/mysql $> bin/mysql -u root -p Enter password: (enter the root password here)
mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode'; +---------------------+-------+ | Variable_name | Value | +---------------------+-------+ | mysql_firewall_mode | ON | +---------------------+-------+
MySQL Enterprise Firewall is now enabled an ready for use. For information about registering accounts with the firewall and configuring operational modes, see Using MySQL Enterprise Firewall. An example is provided that demonstrates how to register an account with the firewall, use the firewall to learn acceptable statements for the account, and protect the account against execution of unacceptable statements.